From patchwork Wed Jan 7 11:33:42 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 78204
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][PATCH 1/2] python3-m2crypto: ignore CVE-2009-0127 Date: Wed, 7 Jan 2026 12:33:42 +0100 Message-ID: <20260107113343.2238185-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 11:33:55 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123223 Details: https://nvd.nist.gov/vuln/detail/CVE-2009-0127 The vulnerability is disputed[1] by upstream: "There is no vulnerability in M2Crypto. Nowhere in the functions are the return values of OpenSSL functions interpreted incorrectly. The functions provide an interface to their users that may be considered confusing, but is not incorrect, nor it is a vulnerability." [1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127 Signed-off-by: Gyorgy Sarvari --- meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb index 9aac7b344f..efb6c79fa7 100644 --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb 
@@ -12,6 +12,8 @@ SRC_URI += " \ file://0002-fix-correct-struct-packing-on-32-bit-with-_TIME_BITS.patch \ " +CVE_STATUS[CVE-2009-0127] = "disputed: upstream claims there is no bug" + inherit pypi siteinfo python_setuptools_build_meta DEPENDS += "openssl swig-native" From patchwork Wed Jan 7 11:33:43 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 78205
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][PATCH 2/2] python3-m2crypto: mark CVE-2020-25657 as patched Date: Wed, 7 Jan 2026 12:33:43 +0100 Message-ID: <20260107113343.2238185-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260107113343.2238185-1-skandigraun@gmail.com> References: <20260107113343.2238185-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 11:33:55 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123224 Details: https://nvd.nist.gov/vuln/detail/CVE-2020-25657 The commit[1] that fixes the vulnerability has been part of the package since version 0.39.0 [1]: https://git.sr.ht/~mcepl/m2crypto/commit/84c53958def0f510e92119fca14d74f94215827a Signed-off-by: Gyorgy Sarvari --- meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb index efb6c79fa7..e534d32028 100644 --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb @@ -13,6 +13,7 @@ SRC_URI += " \ " CVE_STATUS[CVE-2009-0127] = "disputed: upstream claims there is no bug" +CVE_STATUS[CVE-2020-25657] = "fixed-version: the used version (0.46.2) contains the fix already" inherit pypi siteinfo python_setuptools_build_meta
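Review bot: In patch 1/2, the reason string on the added `CVE_STATUS[CVE-2009-0127]` line ("disputed: upstream claims there is no bug") gives no pointer to where the dispute is recorded; the bugzilla link appears only in the commit message. Consider a comment line directly above the assignment carrying https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127, so that someone auditing the recipe's ignored CVEs can verify the claim without going through git history.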
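Review bot: In patch 2/2, the reason on the added `CVE_STATUS[CVE-2020-25657]` line hard-codes the current recipe version (0.46.2), which goes stale as soon as python3-m2crypto_0.46.2.bb is bumped and the line is carried over unchanged. The commit message states that the fix has been in the package since 0.39.0; recording that in the string instead, for example "fixed-version: fixed since 0.39.0", stays correct across upgrades and tells a reader which release to check against.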